{"componentChunkName":"component---src-templates-post-template-js","path":"/clamav-note01-en","result":{"data":{"markdownRemark":{"id":"442636eb-8676-5d23-a521-96e23e78bbed","html":"
\n

This page has been machine-translated from the original page.

\n
\n

In 2024, I wanted to thoroughly read the source code of a larger product, and I decided to work with AntiVirus software, which I’m most interested in.

\n

However, unfortunately, there are almost no AntiVirus Software products whose source code is publicly available.

\n

Among them, ClamAV is almost the only AntiVirus Software that is developed as open source, primarily targeting mail gateways.

\n

Although limited to Linux environments, ClamAV also has OnAccessScan (real-time scanning) functionality using fanotify, which many recent Linux AntiVirus products utilize, making it a very useful reference product.\n(ClamAV can also be used as an on-demand scanner on Windows systems.)

\n

This time, as a starting point for understanding ClamAV’s source code, I’ve summarized the build and setup procedures for ClamAV 1.2.0.

\n\n

Table of Contents

\n\n

Prerequisites

\n

Build & Install

\n

I used the following commands to install ClamAV on Ubuntu 20.04.

\n
# Run with root user in Ubuntu 20.04\napt-get update && apt-get install -y gcc make pkg-config python3 python3-pip python3-pytest valgrind cmake check libbz2-dev libcurl4-openssl-dev libjson-c-dev libmilter-dev libncurses5-dev libpcre2-dev libssl-dev libxml2-dev zlib1g-dev cargo rustc -y\n\n# Install rust\ncurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n\n# Build and install\ngit clone https://github.com/Cisco-Talos/clamav.git\ncd clamav && mkdir -p build && cd build\ncmake ..\ncmake --build . --target install\n\n# Check install version\nclamav-config --version
\n

Reference: Unix from source (v0.104+) - ClamAV Documentation

\n

The CMakeLists.txt file in the root directory defines the build configuration for managing the build process with CMake.

\n

For ClamAV 1.2.0, it’s approximately 1300 lines, but by skimming through it, you can get a rough overview of which files are used for the build.

\n

Reference: clamav/CMakeLists.txt at clamav-1.2.0 · Cisco-Talos/clamav

\n

In the following section, you can see that the cmake directory directly under the root is set as CMAKE_MODULE_PATH, and version information is included.

\n
set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake" ${CMAKE_MODULE_PATH})\ninclude(Version)\n\nset(PACKAGE_NAME      "${PROJECT_NAME}")\nset(PACKAGE_VERSION   "${PROJECT_VERSION}")\nset(PACKAGE_STRING    "${PROJECT_NAME} ${PROJECT_VERSION}${VERSION_SUFFIX}")\nset(PACKAGE_BUGREPORT "https://github.com/Cisco-Talos/clamav/issues")\nset(PACKAGE_URL       "https://www.clamav.net/")\nHexVersion(PACKAGE_VERSION_NUM ${PROJECT_VERSION_MAJOR} ${PROJECT_VERSION_MINOR} ${PROJECT_VERSION_PATCH})
\n

Version.cmake defines two functions: HexVersion and NumberToHex.

\n

As their names suggest, they seem to be used to convert version information values into hexadecimal strings.

\n

Reference: clamav/cmake/Version.cmake at clamav-1.2.0 · Cisco-Talos/clamav

\n

In the following section, it identifies whether the build target platform is Linux, Unix, or macOS.

\n

For Linux, the C_LINUX flag is set.

\n
# Define C_LINUX and C_BSD because CMake only defines UNIX, APPLE, WIN32, MSVC\nif(CMAKE_SYSTEM_NAME STREQUAL \"Linux\")\n    set(C_LINUX 1)\nelseif(APPLE OR CMAKE_SYSTEM_NAME MATCHES \"BSD\")\n    set(C_BSD 1)\nendif()
\n

Setup

\n

After installation, create the configuration files by copying the template configuration files.

\n

The default locations for ClamAV configuration files are as follows:

\n\n

Since these are sample files, copy them as follows to use them as configuration files:

\n
cp /usr/local/etc/freshclam.conf.sample /usr/local/etc/freshclam.conf\ncp /usr/local/etc/clamd.conf.sample /usr/local/etc/clamd.conf
\n

Installed Modules

\n

When you build and install ClamAV from source, the following files will be installed.

\n

Main executables include:

\n\n

And the following libraries are also installed:

\n\n

Reference: Usage - ClamAV Documentation

\n

Create Service User Account

\n

ClamAV’s daemon and related services run under the clamav user and clamav group by default.

\n

Create the clamav user account with the following command:

\n
groupadd clamav\nuseradd -g clamav -s /bin/false -c \"Clam Antivirus\" clamav
\n

Also, set the appropriate permissions for the directories used by ClamAV:

\n
mkdir -p /usr/local/var/lib/clamav\nchown -R clamav:clamav /usr/local/var/lib/clamav\nmkdir -p /usr/local/var/log/clamav\nchown -R clamav:clamav /usr/local/var/log/clamav
\n

Create Configuration Files

\n

Edit freshclam.conf

\n

freshclam is a tool that automatically downloads the latest virus signature database.

\n

Edit the configuration file as follows:

\n
vi /usr/local/etc/freshclam.conf
\n

Key configuration items:

\n
# Comment out Example (required to use this configuration file)\n# Example\n\n# Database directory (default: /usr/local/var/lib/clamav)\nDatabaseDirectory /usr/local/var/lib/clamav\n\n# Update log file\nUpdateLogFile /usr/local/var/log/clamav/freshclam.log\n\n# Log file size limit\nLogFileMaxSize 2M\n\n# Log timestamp\nLogTime yes\n\n# syslog facility\nLogSyslog no\n\n# Run as this user\nDatabaseOwner clamav\n\n# Database mirror (default: database.clamav.net)\nDatabaseMirror database.clamav.net
\n

After editing, run freshclam to download the signature database:

\n
freshclam
\n

If the update is successful, you should see output like:

\n
ClamAV update process started at Sun Jan 28 10:00:00 2024\ndaily.cvd database is up-to-date (version: 27120, sigs: 2050127, f-level: 90, builder: raynman)\nmain.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)\nbytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
\n

Edit clamd.conf

\n

clamd is the ClamAV daemon that provides the scanning service.

\n

Edit the configuration file as follows:

\n
vi /usr/local/etc/clamd.conf
\n

Key configuration items:

\n
# Comment out Example (required to use this configuration file)\n# Example\n\n# Log file\nLogFile /usr/local/var/log/clamav/clamd.log\n\n# Log timestamp\nLogTime yes\n\n# Log file size limit\nLogFileMaxSize 2M\n\n# Run as this user\nUser clamav\n\n# Unix socket path\nLocalSocket /usr/local/var/run/clamav/clamd.sock\n\n# Fix stale socket issues\nFixStaleSocket yes\n\n# TCP socket settings (if you want to use TCP instead of Unix socket)\n# TCPSocket 3310\n# TCPAddr 127.0.0.1\n\n# Maximum number of threads for scanning\nMaxThreads 12\n\n# Maximum queue length\nMaxQueue 100\n\n# Idle timeout\nIdleTimeout 30\n\n# Exclude certain paths from scanning (use with OnAccessScan)\nExcludePath ^/proc/\nExcludePath ^/sys/\n\n# OnAccessScan settings\nOnAccessMountPath /home\nOnAccessIncludePath /home\nOnAccessExcludePath /home/clamav\nOnAccessPrevention no\nOnAccessExtraScanning yes
\n

Create the necessary directory for the Unix socket:

\n
mkdir -p /usr/local/var/run/clamav\nchown -R clamav:clamav /usr/local/var/run/clamav
\n

Enable Debug and Systemd and Rebuild

\n

To enable debugging and systemd support, rebuild ClamAV with additional options.

\n
cd /path/to/clamav/build\ncmake .. -D CMAKE_BUILD_TYPE=Debug -D ENABLE_SYSTEMD=ON\ncmake --build . --target install
\n

The Debug build type includes debugging symbols and disables optimization, making it easier to debug.

\n

With systemd support enabled, you can register clamd and freshclam as systemd services.

\n

Suppress Build Warnings

\n

If you encounter build warnings, you can suppress specific warnings by adding flags to CMakeLists.txt.

\n

For example, to suppress deprecation warnings:

\n
add_compile_options(-Wno-deprecated-declarations)
\n

Configure Detection Notifications

\n

When ClamAV detects malware, you can configure it to execute a specified script or send notifications.

\n

Configure in clamd.conf:

\n
# Command to execute when a virus is detected\nVirusEvent /usr/local/bin/virus_alert.sh %v %f
\n\n

Example notification script:

\n
#!/bin/bash\nVIRUS=$1\nFILE=$2\nDATE=$(date)\necho \"$DATE - Virus detected: $VIRUS in file $FILE\" >> /var/log/clamav/virus_detected.log\n# Add notification logic here (email, Slack, etc.)
\n

Make the script executable:

\n
chmod +x /usr/local/bin/virus_alert.sh
\n

Summary

\n

In this article, I summarized the steps to build ClamAV 1.2.0 from source code and set up OnAccessScan.

\n

Key points covered:

\n
    \n
  1. Installing dependencies and building ClamAV from source
    2. \n
  2. Creating and configuring freshclam.conf and clamd.conf
    3. \n
  3. Creating service user accounts and setting directory permissions
    4. \n
  4. Enabling debug mode and systemd support
    5. \n
  5. Configuring detection notifications
    6. \n
\n

ClamAV is a valuable resource for learning about AntiVirus implementation, especially the fanotify-based OnAccessScan feature on Linux.

\n

In future articles, I plan to dive deeper into ClamAV’s source code to understand its internal architecture and scanning mechanisms.

","fields":{"slug":"/clamav-note01-en","tagSlugs":["/tag/clam-av/","/tag/malware/","/tag/english/"]},"frontmatter":{"date":"2024-01-27","description":"Summary of the steps to build ClamAV from source code and set up OnAccessScan.","tags":["ClamAV","Malware","English"],"title":"Summary of Building ClamAV from Source Code and Setting Up OnAccessScan","socialImage":{"publicURL":"/static/34516ec698c27cd04cfd176d8c426baf/clamav-note01.png"}}}},"pageContext":{"slug":"/clamav-note01-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}